fix(helm-chart): minimize role

Author: yetone

controllers/resources/bentorequest_controller.go

@@ -1551,7 +1551,8 @@ echo "Done"
 	// nolint: gosec
 	buildArgsSecretName := "yatai-image-builder-build-args"
 	r.Recorder.Eventf(opt.BentoRequest, corev1.EventTypeNormal, "GenerateImageBuilderPod", "Getting secret %s from namespace %s", buildArgsSecretName, configNamespace)
-	buildArgsSecret, err := kubeCli.CoreV1().Secrets(configNamespace).Get(ctx, buildArgsSecretName, metav1.GetOptions{})
+	buildArgsSecret := &corev1.Secret{}
+	err = r.Get(ctx, types.NamespacedName{Name: buildArgsSecretName, Namespace: configNamespace}, buildArgsSecret)
 	buildArgsSecretIsNotFound := k8serrors.IsNotFound(err)
 	if err != nil && !buildArgsSecretIsNotFound {
 		err = errors.Wrap(err, "failed to get secret")

helm/yatai-image-builder/templates/_helpers.tpl

@@ -36,7 +36,11 @@ yatai-common-env
 {{- end }}
 
 {{- define "yatai-image-builder.yatai-rolename-in-yatai-system-namespace" -}}
-yatai-common-env
+yatai-role-for-yatai-image-builder
+{{- end }}
+
+{{- define "yatai-image-builder.yatai-with-yatai-image-builder-rolename" -}}
+yatai-with-yatai-image-builder
 {{- end }}
 
 {{/*

helm/yatai-image-builder/templates/clusterrolebinding.yaml

@@ -10,4 +10,3 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "yatai-image-builder.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-

helm/yatai-image-builder/templates/role-in-yatai-system-namespace.yaml

@@ -8,6 +8,9 @@ rules:
   - ""
   resources:
   - secrets
+  resourceNames:
+  - {{ include "yatai-image-builder.yatai-common-envname" . }}
+  - {{ include "yatai-image-builder.shared-envname" . }}
   verbs:
   - get
   - list

helm/yatai-image-builder/templates/role-yatai-in-yatai-system-namespace.yaml

@@ -8,6 +8,9 @@ rules:
   - ""
   resources:
   - secrets
+  resourceNames:
+  - {{ include "yatai-image-builder.yatai-common-envname" . }}
+  - {{ include "yatai-image-builder.shared-envname" . }}
   verbs:
   - get
   - list

helm/yatai-image-builder/templates/role-yatai-with-yatai-image-builder.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: yatai-with-yatai-image-builder
+  name: {{ include "yatai-image-builder.yatai-with-yatai-image-builder-rolename" . }}
   namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups:
@@ -24,6 +24,8 @@ rules:
   - ""
   resources:
   - configmaps
+  resourceNames:
+  - yatai-image-builder-config
   verbs:
   - get
   - list
@@ -97,6 +99,9 @@ rules:
   - ""
   resources:
   - secrets
+  resourceNames:
+  - {{ include "yatai-image-builder.envname" . }}
+  - yatai-image-builder-build-args
   verbs:
   - get
   - list

helm/yatai-image-builder/templates/role.yaml

@@ -8,6 +8,8 @@ rules:
   - ""
   resources:
   - secrets
+  resourceNames:
+  - yatai-image-builder-build-args
   verbs:
   - get
   - list
@@ -16,6 +18,8 @@ rules:
   - ""
   resources:
   - configmaps
+  resourceNames:
+  - yatai-image-builder-config
   verbs:
   - get
   - list

helm/yatai-image-builder/templates/rolebinding-yatai-with-yatai-image-builder.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: yatai-with-yatai-image-builder
+  name: {{ include "yatai-image-builder.yatai-with-yatai-image-builder-rolename" . }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: yatai-with-yatai-image-builder
+  name: {{ include "yatai-image-builder.yatai-with-yatai-image-builder-rolename" . }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.yataiSystem.serviceAccountName }}